Cisco Spark clients behind a Corporate firewall

darren.collins · ‎03-19-2015

Hi,

I've been asked to allow use of the Cisco Spark application from within our Corporate LAN, but it just doesn't seem to work at all. The marketing material suggests that this is an enterprise-grade tool but it seems to fall a long way short in it's current form.

Outbound connectivity from our LAN to the outside world is policed (and audited) and web traffic is relayed via CWS. Your KB suggests that we need to open some ports for this app to work:

tcp 443/8443 for signalling

udp 8000-8100 & 33434-34598 for media

(although in another article it says tcp/udp 33434 only). To which destination addresses are these ports required? We cannot open tcp/443 to all external destinations (and I imagine we are not alone in this).

Packet captures for the Cisco Spark app show that it happily relays traffic through the system-assigned proxy server, and it can display the contents of rooms, but it cannot interact with them at all (cannot send messages or attachments).

Can this be made to work behind a corporate firewall without opening it for web traffic to the entire world?

jminasia · ‎03-19-2015

Hello Darren,

Thank you for your feedback and questions. The media port requirement was updated to a single port 33434 due to feedback and demand.

At this time Spark is not proxy aware and engineering teams are working on improving this area. Can you share what Proxy appliance or server is used?

Regards,

Jean.

Darren Roback · ‎09-22-2015

I have the same question...is there a destination server list for Spark so customers can modify their firewall ACLs and/or bypass proxy servers based on destination address?

miro@cisco.com · ‎09-22-2015

Darren, we can't provide destination services because there are many micro-services running and needed to operate.

Destination address changes as well as adding some new services can happen any time with our dev-ops deployment model either due to adding new features or platform expansion and/or redundancy. Providing you with the static IP range or domain names can become service impacting. As Jean pointed out above, we are working on the solution to support proxy configuration.

-Miro

dehealy · ‎09-23-2015

Hi,

I am a develpoer on the Spark windows client, we recently added support for proxies.

In the latest update of Cisco Spark we support authenticating proxies with Basic, Digest, NTLM, and Negotiate.

Proxy Kerberos authentication is not yet supported.

The latest available update build 1.0.0.1923, proxy support is available.

Can you test with this version, if you see any issues please provide spark logs so I can investigate further.

Log is located at: C:\Users\%user%\AppData\Local\Spark\Logs

Regards,

Des

Darren Roback · ‎09-23-2015

Thanks Des. Do you have any documentation that describes how this is configured on a technical level? Is Spark pulling credentials from the local store?

Mohamad Fayed · ‎10-06-2015

Hello Des,

I'm trying to install the Cisco Spark Desktop version 1.0.0.2326, but I'm getting a strange error:

I have 114 GB free disk space. I've tried to change the compatibility mode to XP, Win 7...etc, but none helped.

tried the installation on different workstations, but also got the same strange error.

============

ERROR DETAILS

============

PLATFORM VERSION INFO

Windows : 6.1.7601.65536 (Win32NT)

Common Language Runtime : 4.0.30319.34209

System.Deployment.dll : 4.0.30319.34244 built by: FX452RTMGDR

clr.dll : 4.0.30319.34209 built by: FX452RTMGDR

dfdll.dll : 4.0.30319.34244 built by: FX452RTMGDR

dfshim.dll : 4.0.41209.0 (Main.041209-0000)

SOURCES

Deployment url : https://download.ciscospark.com/windows/1/Spark.application

Server : nginx

Deployment Provider url : https://download.ciscospark.com/windows/1/Spark.application

Application url : https://f761f1fd9f656f2e2d45-83730c4e8548703e871da6c8c1f49ba7.ssl.cf2.rackcdn.com//1/Application%20Files/Spark_1_0_0_2326/Spark.exe.manifest

IDENTITIES

Deployment Identity : Spark.application, Version=1.0.0.2326, Culture=neutral, PublicKeyToken=a0d42a8553b1ae1e, processorArchitecture=x86

Application Identity : Spark.exe, Version=1.0.0.2326, Culture=neutral, PublicKeyToken=a0d42a8553b1ae1e, processorArchitecture=x86, type=win32

APPLICATION SUMMARY

* Installable application.

ERROR SUMMARY

Below is a summary of the errors, details of these errors are listed later in the log.

* Activation of https://download.ciscospark.com/windows/1/Spark.application resulted in exception. Following failure messages were detected:

+ Downloading https://f761f1fd9f656f2e2d45-83730c4e8548703e871da6c8c1f49ba7.ssl.cf2.rackcdn.com//1/Application Files/Spark_1_0_0_2326/wme4net/mediasession.dll.deploy did not succeed.

+ Received an unexpected EOF or 0 bytes from the transport stream.

COMPONENT STORE TRANSACTION FAILURE SUMMARY

No transaction error was detected.

WARNINGS

There were no warnings during this operation.

OPERATION PROGRESS STATUS

* [10/6/2015 1:15:57 PM] : Activation of https://download.ciscospark.com/windows/1/Spark.application has started.

* [10/6/2015 1:16:00 PM] : Processing of deployment manifest has successfully completed.

* [10/6/2015 1:16:00 PM] : Installation of the application has started.

* [10/6/2015 1:16:02 PM] : Processing of application manifest has successfully completed.

* [10/6/2015 1:16:02 PM] : Found compatible runtime version 2.0.50727.

* [10/6/2015 1:16:02 PM] : Detecting dependent assembly Sentinel.v3.5Client, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil using Sentinel.v3.5Client, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil.

* [10/6/2015 1:16:02 PM] : Detecting dependent assembly System.Data.Entity, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil using System.Data.Entity, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil.

* [10/6/2015 1:16:02 PM] : Detecting dependent assembly WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil using WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil.

* [10/6/2015 1:16:02 PM] : Detecting dependent assembly System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil using System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil.

* [10/6/2015 1:16:02 PM] : Detecting dependent assembly System.Data.Entity, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil using System.Data.Entity, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil.

* [10/6/2015 1:16:02 PM] : Request of trust and detection of platform is complete.

ERROR DETAILS

Following errors were detected during this operation.

* [10/6/2015 1:19:07 PM] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)

- Downloading https://f761f1fd9f656f2e2d45-83730c4e8548703e871da6c8c1f49ba7.ssl.cf2.rackcdn.com//1/Application Files/Spark_1_0_0_2326/wme4net/mediasession.dll.deploy did not succeed.

- Source: System.Deployment

- Stack trace:

at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()

at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)

at System.Deployment.Application.DownloadManager.DownloadDependencies(SubscriptionState subState, AssemblyManifest deployManifest, AssemblyManifest appManifest, Uri sourceUriBase, String targetDirectory, String group, IDownloadNotification notification, DownloadOptions options)

at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)

at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)

at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)

at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

--- Inner Exception ---

System.IO.IOException

- Received an unexpected EOF or 0 bytes from the transport stream.

- Source: System

- Stack trace:

at System.Net.ConnectStream.Read(Byte[] buffer, Int32 offset, Int32 size)

at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

COMPONENT STORE TRANSACTION DETAILS

No transaction information is available.

Regards\Mohamad

dehealy · ‎10-15-2015

Hi,

We have encountered a number of issues similar to this with the Microsoft component "ClickOnce"we use to deploy Spark.

We have been working to address these issues by changing our Spark deployment to an MSI installer.

We hope to roll this out to production early next week.

In the interm can you try the following.

Uninstall Cisco Spark manuall from the Control Panel.

Download/Install Spark again from ciscospark.com

Regards,

Des.

abhijeet.garde1 · ‎06-30-2016

Hi Everyone,

I am using the Spark Windows App version 2.0. Someone mentioned in the previous comments that Windows client is now proxy aware and supports authenticating proxies with Basic, Digest, NTLM, and Negotiate. Do I have to do any special configuration for the Windows client to connect via proxy? I am just launching the app and trying to connect but its not even able to send an email to my registered account.

We use websense proxy over HTTPS in my company.

Any help is really appreciated.

Thanks

Abhi

mpatriota · ‎12-15-2015

Hi Spark Team,

Im deploying a few sparks mobile in my company and need to know how to deploy my mobile ipad´s trough my proxy, firewall.......

We have some issues, like:

How to enable the UDP port to especific subnet range?

I cannot just open the udp port for any ip for security reason.

You guys have a list of subnet range for use with spark?

miro@cisco.com · ‎12-15-2015

We can't provide list of IP range because the services are changing/updating and your users would have poor experience, please refer to this article for which ports are required to be open for Spark to work properly:

Cisco Spark | What are Cisco Spark Firewall and Networ...

darren.collins · ‎12-16-2015

So, nine months down the line from my original post and it still won't work in a typical Enterprise scenario? Outbound HTTPS to an unspecified list of sites? Good luck with that.

Does it support a proxy server at all yet? What about transparent proxying? Does it at least work using ASA CWS integration?

Sebastian Leuser · ‎12-16-2015

Hi Darren,

have you tried the newest versions of Spark with your proxy servers? In our environment the Spark client runs without issues behind the proxies.

Make a try with the newest client.

Sebastian

darren.collins · ‎12-16-2015

v1.0.0.3125 just downloaded from ciscospark.com, same problem as before. Failure message swiftly followed by a crash:

No configuration options anywhere to change the behaviour of the client.

Sebastian Leuser · ‎12-16-2015

Hi Darren,

it seems there is a different issue than the proxies. Without proxy support it was possible for me to start the client. Maybe you could share your log Spark log files and one of the Cisco Spark guys could check.

You can find the log files for Spark in <user directory>\AppData\Local\Spark\Logs

Sebastian